joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

"Extending" Password Expiration for Specific Active Directory Accounts

by @ 10:08 am on 9/5/2013. Filed under tech

I recall sharing how to extend an Active Directory user’s password expiration previously somewhere, probably on the ActiveDir Org list but perhaps even in this blog… I don’t remember exactly where. This topic popped up in my head this morning because I saw via twitter (@joewaredotnet) that someone released a tool called "AD Password Extender" – http://www.mannerud.org/software/ad-password-extender/

 

Basically you are resetting the password last set date for a user id so that they are "starting fresh" with whatever policy is in effect for their password expiration (Password Settings Object or Domain Policy).

If you want a formal tool to do it, check out the tool above. If you just want to use mechanisms you already have available (any LDAP modification tool should work), you simply have to write a 0 into pwdLastSet (which immediately expires the account) and then a -1 into pwdLastSet which sets the value to the current date. Now that the value is set to the current date any policy checking for expiration will not know a difference and think the user truly changed their password on that date.

Here is an example with AdMod…

[Thu 09/05/2013  9:48:43.31]
C:\>adfind -default -f name=$joe pwdlastset -tdcd

AdFind V01.47.00cpp Joe Richards (joe@joeware.net) October 2012

Using server: CHILD-TADI-DC1.child.testadi.loc:389
Directory: Windows Server 2008 R2
Base DN: DC=child,DC=testadi,DC=loc

dn:CN=$joe,CN=Users,DC=child,DC=testadi,DC=loc
>pwdLastSet: 2013/05/25-01:34:39 Eastern Daylight Time (-103 days 8 hours 14 minutes 30 seconds)

1 Objects returned

[Thu 09/05/2013  9:49:10.96]
C:\>adfind -default -f name=$joe -dsq | admod pwdlastset::0

AdMod V01.18.00cpp Joe Richards (joe@joeware.net) March 2012

DN Count: 1
Using server: CHILD-TADI-DC1.child.testadi.loc:389
Directory: Windows Server 2008 R2

Modifying specified objects…
   DN: CN=$joe,CN=Users,DC=child,DC=testadi,DC=loc…

The command completed successfully

[Thu 09/05/2013  9:49:29.44]
C:\>adfind -default -f name=$joe pwdlastset -tdcd

AdFind V01.47.00cpp Joe Richards (joe@joeware.net) October 2012

Using server: CHILD-TADI-DC1.child.testadi.loc:389
Directory: Windows Server 2008 R2
Base DN: DC=child,DC=testadi,DC=loc

dn:CN=$joe,CN=Users,DC=child,DC=testadi,DC=loc
>pwdLastSet: 0000/00/00-00:00:00  (UNDEFINED)

1 Objects returned

[Thu 09/05/2013  9:49:31.69]
C:\>adfind -default -f name=$joe -dsq | admod pwdlastset::-1

AdMod V01.18.00cpp Joe Richards (joe@joeware.net) March 2012

DN Count: 1
Using server: CHILD-TADI-DC1.child.testadi.loc:389
Directory: Windows Server 2008 R2

Modifying specified objects…
   DN: CN=$joe,CN=Users,DC=child,DC=testadi,DC=loc…

The command completed successfully

[Thu 09/05/2013  9:49:37.11]
C:\>adfind -default -f name=$joe pwdlastset -tdcd

AdFind V01.47.00cpp Joe Richards (joe@joeware.net) October 2012

Using server: CHILD-TADI-DC1.child.testadi.loc:389
Directory: Windows Server 2008 R2
Base DN: DC=child,DC=testadi,DC=loc

dn:CN=$joe,CN=Users,DC=child,DC=testadi,DC=loc
>pwdLastSet: 2013/09/05-09:49:37 Eastern Daylight Time (-2 seconds)

1 Objects returned

Rating 4.25 out of 5

Comments are closed.

«
»

[joeware – never stop exploring… :) is proudly powered by WordPress.]